CVE-2024-24754: 
PHP vulnerability analysis and mitigation

A body parsing inconsistency vulnerability was discovered in Bref (versions <2.1.13) affecting the Event-Driven Function runtime when handling RequestHandlerInterface. The vulnerability, identified as CVE-2024-24754, was disclosed on February 1, 2024. The issue occurs during the conversion process of Lambda events to PSR7 objects, specifically when parsing multipart form data with keys ending in an open square bracket ([) (GitHub Advisory).

The vulnerability exists in the parseKeyAndInsertValueInArray method within bref/src/Event/Http/Psr7Bridge.php. When processing multipart form data, the conversion process produces different output compared to plain PHP for keys ending with an open square bracket ([). For example, a form field named 'key0[key1][key2][' with value 'value' would be parsed differently: in plain PHP it would create a nested array structure, while in Bref it would create a malformed array structure with the entire key as a single index (GitHub Advisory).

The inconsistency in body parsing between Bref and plain PHP implementations could lead to vulnerabilities and undefined behaviors depending on the application logic. The severity of this vulnerability is rated as Low (GitHub Advisory).

The vulnerability has been patched in version 2.1.13 of Bref. The recommended remediation is to upgrade to this version or later. The fix involves using PHP's parse_str function to parse body parameters, ensuring consistency with plain PHP behavior (GitHub Advisory).